Security

Hello i have got  a question about this

On the authentication source when you configuring it on primary, you suppose to input  the host name for example  dc.demolab.local  Right?

But if that one goes that then it doesnt work

 

I was wondering if you input only the domain like  demolab.local it will work, i mean as it should search which active directory works?  it seems to work, but i dont know if its not recommended, if its not secure or something like that ?

In the manual it says that you input the host name

 

I though that  if you had 3 active directory then you had to configure 3 authentication sources and add them to the services.   But just putting the domain seems to work.

 

Any comment about this would be appreciated.

 

Cheers

Carlos

Are you asking if dc.demolab.local were to go down, and you have the other two servers added as authentication sources, will it still authenticate to the other two?

 iwas asking that how i should add it to the host name?

like dc1.demo.local

or

 

demo.local

 

 

If o add it like dc1.demo.local if that server goes down then i cant authenticate

 

If i add it like demo.local and i got other domain servers like dc2.demo.local and dc3.demo.local  then server will keep up ç

 

 

Or the third option which will be creating 3 authenticating sources and adding all of them on the service as authenticating source

 

Cheers

Carlos

If you are using EAP PEAP MsCHAPv2 then you have to join CPPM to AD domain.

Use AD account which have ability to add computer to domain. 

You do not need to join ClearPassPolicy Manager to multiple domains belonging to the same Active Directory forest, because a one-way trust relationship exists between these domains. In this case, you should join CPPM to the root domain.

 

In latest version we have new feature were Clearpass automatically send request to nearest AD ito client if primary goes down or not reachable.  In previous we use to specify order list of servers in password server list,  which server request should go if first server is not reachable. 

i guess im not explaning myself correctly, as my english is bad im sorry.

 

im not talking about adding the clearpass to the domain controller

im referring only to the authenticating source which you have to configure in the service

in this case im referring tacacs  to authenticate in the same clearpass.

 

I configured the authentication source here

 

on the service ill have something like this configured

 

if alternetworks dc goes down which is the one i declared as authentication source  then noone will be able to authenticate.   But i just included one server there one name.

 

 

Now IF instead o putting dc01.alterneworks.local i put alternetworks.local on hostname, this does not happen as it will just search for another AD for example a dc02 or a dc03 it seems.

 

My question was

Is there any issue if i configure it like that?

At least on the manual it tells you to configure it as a host name which means dc01.alternetworks.local  NOT the domain...  but i dont know.

 

Cheers

Carlos

Hey Carlos you can add the domain name and allow DNS to return the AD server that is available ,ClearPass caches the LDAP queries of successful authentications for 5 minutes so it doesn’t have to perform a lookup every time the user authenticates

Sent from Mail for Windows 10

One thing to consider is that in most deployments there are 'more preferred' AD servers over others. For example if you have remote sites. With putting the domain name in, which basically is a DNS record with multiple A-records, ClearPass will just pick one. By entering primary and one or more backups, you better control where the LDAP lookups will go.

thanks hernan, victor and everyone!!

 

Cheers

Carlos